Hello Nanog's
I offer a question to help me settle an internal debate. As a network
engineer for a large enterprise, do you choose ISP flexibility or ISP
security when you build an OOB network? I was tasked to create an OOB
network for my company. Realistically it would only be deployed to 25%
of the companies sites as they are considered important enough to
justify the cost. The design is simple enough. Hub and spoke using
cellular routers. DMVPN will carry data from the spoke to the hub.
The real debate arrives when it's time to choose a carrier to host the
router. I choose to go with a major cell carrier using a "private"
APN. It allows me to connect my cell routers to a private layer 2
network and my private IP addresses will be used to provide layer 3
connectivity. I know that there will be outliers that can't use this
carrier or cellular at all. These outliers, in my opinion, shouldn't
have a majority stake in the overall design. The APN overall cost is
low and so is the data plan for the hosted routers. The private APN
also eliminates the router as an internet attack vector. I don't
believe routers are appropriate security appliances to defend and
monitor against network threats.
Some of my colleagues believe that the flexibility of public cellular
access outweighs the security risks. The cellular internet will
provide us with a solution for more of the outliers than a private
APN. I don't agree with this philosophy even though it's not
"technically" wrong. I am interested in a broader range of opinion and
technical reasoning.
Nanog member KELLYSP
I'm not sure I see the sides of the debate. I personally see no
utility at all in paying premium for APN, I see it as a way to pay a
premium to get liability. There are no improvements in security
posture but obviously if there is APN specific outage, outage in your
APN is not going to be much of a priority compared to outage at
consumer APN, which is fire drill.
As well as you make it a lot harder to procure and negotiate,
particularly if you expand to new markets. Compared to dial-home DMVPN
where you have no requirements above most standard INET access
offered.
I assume you mean DMVPN with IPSEC. If you don't imply IPSEC, then I
assume security wasn't a metric for this product.
I probably would not choose the Private APN. I get the appeal, but I
would probably use router ACLs to restrict traffic only to other
endpoints in the VPN mesh. Exploits/methods that could get around this
are few and far between, and the benefits are numerous, namely, you
aren't tied to one cell provider, and you aren't even tied to the
cellular medium (which might be important).
If, for some reason, being tied to one carrier was not any concern,
AND I had an amazingly good deal with my carrier on the APN, then my
opinion might change, but that just seems unlikely to me.
I do not think it is an excessive burden to remain on top of software
releases, such that, if there was some exploit that could breach the
ACL protection, you would be able to patch it very quickly. And since
it's just OOB, you can test it on three or four boxes, then just blast
the upgrade out to all of them at once using Ansible or whatever.
Maybe this talk from NLNOG 2020 is of interest to you concerning OOB.
The real debate arrives when it's time to choose a carrier to host the
router. I choose to go with a major cell carrier using a "private"
APN. It allows me to connect my cell routers to a private layer 2
network and my private IP addresses will be used to provide layer 3
connectivity. I know that there will be outliers that can't use this
carrier or cellular at all. These outliers, in my opinion, shouldn't
have a majority stake in the overall design. The APN overall cost is
low and so is the data plan for the hosted routers. The private APN
also eliminates the router as an internet attack vector. I don't
believe routers are appropriate security appliances to defend and
monitor against network threats.
Hi Sean,
You want vendor lock-in on your emergency access path? Are you sure?
Some of my colleagues believe that the flexibility of public cellular
access outweighs the security risks.
I think your colleagues are correct. Shoot for an OOB solution that
allows you to pick the best technology and vendor for each site you
choose to protect. That won't necessarily even be cellular everywhere.
Regards,
Bill Herrin
